Adversaries may use malicious SVG files to exploit vulnerabilities in applications that render SVG content, or embed JavaScript that runs when the file is opened in a browser, allowing for code execution or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control or persistence mechanisms early in the attack lifecycle.
KQL Query

```kql
let SuspiciousDisplayNames = pack_array("Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "IT Support", "Helpdesk");
EmailAttachmentInfo
| where FileName contains ".svg" and FileType == "html" // SVG files which render only as an image show FileType as Text; SVG files containing JavaScript show FileType as Html
| join EmailEvents on NetworkMessageId
// | where SenderDisplayName has_any (SuspiciousDisplayNames) // Optionally remove the comment to also evaluate and filter on the sender display name
| where LatestDeliveryLocation == "Inbox/folder"
```
```yaml
id: ca777d68-fdd7-4f84-8c56-7c3af68f92d3
name: Potentially malicious svg file delivered to Inbox
description: |
  This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious .SVG file has been delivered into an Inbox.
description-detailed: |
  This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious .SVG file containing JavaScript has been delivered into an Inbox. Allows granular control of SVG files, compared to adding the type to the Common Attachment Filter. https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailAttachmentInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let SuspiciousDisplayNames = pack_array("Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "IT Support", "Helpdesk");
  EmailAttachmentInfo
  | where FileName contains ".svg" and FileType == "html" // SVG files which render only as an image show FileType as Text; SVG files containing JavaScript show FileType as Html
  | join EmailEvents on NetworkMessageId
  // | where SenderDisplayName has_any (SuspiciousDisplayNames) // Optionally remove the comment to also evaluate and filter on the sender display name
  | where LatestDeliveryLocation == "Inbox/folder"
version: 1.0.0
```
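The query relies on Defender's FileType classification to separate plain-image SVGs from SVGs that carry script. When triaging a hit, an analyst usually wants to confirm that distinction on the attachment itself. The following Python script is an added example, not part of the original query or of Microsoft's classification logic; it is an independent heuristic that parses an SVG and counts the constructs that make it script-capable (`<script>` elements, `on*` event-handler attributes, `javascript:` URIs and `<foreignObject>`). The two sample SVGs are constructed inline, and the `text`/`html` labels are chosen only to mirror the FileType values the query comment describes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a plain image-only SVG (no active content).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)

# Constructed sample: an SVG carrying script-capable constructs.
# The script body is an empty placeholder; only its presence matters here.
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script>/* constructed placeholder */</script>'
    b'<a xlink:href="javascript:void(0)">'
    b'<rect width="1" height="1" onclick="void(0)"/></a></svg>'
)


def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{http://...}' from a tag or attribute name."""
    return name.split("}")[-1]


def svg_active_content(svg_bytes: bytes) -> dict:
    """Count script-capable constructs in an SVG document.

    Heuristic, assumed by this example; it does not reproduce Defender's FileType logic.
    For untrusted input in production, parse with defusedxml instead of xml.etree.
    """
    findings = {"script": 0, "event_handlers": 0, "javascript_uri": 0, "foreignObject": 0}
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings["script"] += 1
        elif tag == "foreignObject":
            # foreignObject lets HTML (and therefore HTML script vectors) be embedded.
            findings["foreignObject"] += 1
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):
                # onload, onclick, onbegin ... are inline event handlers.
                findings["event_handlers"] += 1
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings["javascript_uri"] += 1
    return findings


def attachment_category(svg_bytes: bytes) -> str:
    """Return 'html' if any script-capable construct is present, else 'text'.

    Mirrors the distinction the hunting query makes on FileType; an unparseable
    file is reported as 'unparseable' so it is not silently treated as benign.
    """
    try:
        findings = svg_active_content(svg_bytes)
    except ET.ParseError:
        return "unparseable"
    return "html" if any(findings.values()) else "text"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, attachment_category(sample), svg_active_content(sample))
```

Run it against an attachment exported from the mailbox to see which constructs drove the classification; an SVG that lands in the `html` category but contains only a `<foreignObject>` with static content is a candidate for a tuning exclusion rather than an incident.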
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Generates SVG Reports
Description: A system administrator uses a tool like Power BI or Tableau to generate daily SVG reports and automatically sends them to the team inbox via a scheduled job.
Filter/Exclusion: Exclude files generated by known reporting tools using the sender_email field or check the subject line for keywords like "Report" or "Daily Summary".

Scenario: User Uploads SVG for Design Collaboration
Description: A graphic designer uploads an SVG file to a shared inbox for collaboration using a tool like Figma or Adobe XD, which may include SVG files as part of design assets.
Filter/Exclusion: Exclude files with a file_extension of .svg that are uploaded by users in the design team or from specific IP ranges associated with design tools.

Scenario: Email Client Auto-Generated SVG Attachments
Description: An email client like Microsoft Outlook or Thunderbird auto-generates SVG attachments when rendering HTML emails, which are then delivered to the inbox.
Filter/Exclusion: Exclude files with MIME type image/svg+xml or filter based on the content_type field to avoid false positives from email rendering.

Scenario: DevOps Pipeline Delivers SVG Artifacts
Description: A CI/CD pipeline using Jenkins or GitHub Actions delivers SVG files as part of build artifacts to a shared inbox for review by developers.
Filter/Exclusion: Exclude files with a file_name matching known artifact naming conventions or filter by the source_ip of the CI/CD system.

Scenario: User Shares SVG via Collaboration Tool
Description: A user shares an SVG file via a collaboration tool like Slack or Microsoft Teams, which may deliver the file to an inbox or shared